CH A P T E R
13
Configuring Application Acceleration
This chapter describes how to configure the optimization policies on your WAAS system that determine
the types of application traffic that is accelerated over your WAN.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE and WAVE appliances, SM-SRE
modules running WAAS, and vWAAS instances.
This chapter contains the following sections:
•
About Application Acceleration, page 13-1
•
Enabling and Disabling the Global Optimization Features, page 13-3
•
Creating a New Traffic Optimization Policy, page 13-51
•
Managing Application Acceleration, page 13-58
About Application Acceleration
The WAAS software comes with over 150 predefined optimization policies that determine the type of
application traffic your WAAS system optimizes and accelerates. These predefined policies cover the
most common type of application traffic on your network. For a list of the predefined policies, see
Appendix A, “Predefined Optimization Policy.”
Each optimization policy contains the following elements:
•
Application definition—Identifies general information about a specific application, such as the
application name and whether the WAAS Central Manager collects statistics about this application.
•
Class Map—Contains a matching condition that identifies specific types of traffic. For example, the
default HTTP class map matches all traffic going to ports 80, 8080, 8000, 8001, and 3128. You can
create up to 512 class maps and 1024 matching conditions.
•
Policy—Combines the application definition and class map into a single policy. This policy also
determines what optimization and acceleration features (if any) a WAAS device applies to the
defined traffic. You can create up to 512 policies. A policy can also contain a differentiated services
code point (DSCP) marking value that is applied to the traffic and that overrides a DSCP value set
at the application or global level.
You can use the WAAS Central Manager GUI to modify the predefined policies and to create additional
policies for other applications. For more information on creating optimization policies, see the “Creating
a New Traffic Optimization Policy” section on page 13-51. For more information on viewing reports,
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-1
Chapter 13
Configuring Application Acceleration
About Application Acceleration
restoring policies, monitoring applications, and other functions, see the “Managing Application
Acceleration” section on page 13-58.
Note
All application definitions configured in the WAAS Central Manager are globally applied to all WAAS
devices that register with the WAAS Central Manager, regardless of the device group membership
configuration.
WAAS policies can apply two kinds of optimizations to matched traffic:
•
Layer 4 optimizations that include TFO, DRE, and LZ compression. These features can be applied
to all types of TCP traffic.
•
Layer 7 optimizations that accelerate application-specific protocols. The application accelerators
control these kinds of optimizations.
For a given optimization policy, the DRE feature can use different caching modes (beginning with
software version 4.4.1):
•
Bidirectional—The peer WAEs maintain identical caches for inbound and outbound traffic. This
caching mode is best suited where a significant portion of the traffic seen in one direction between
the peers is also seen in the reverse direction. In software versions prior to 4.4.1, this mode is the
only supported caching mode.
•
Unidirectional—The peer WAEs maintain different caches for inbound and outbound traffic. This
caching mode is best suited where a significant portion of the traffic seen in one direction between
the peers is not seen in the reverse direction.
•
Adaptive—The peer WAEs negotiate either bidirectional or unidirectional caching based on the
characteristics of the traffic seen between the peers.
The predefined optimization policies are configured to use the optimal DRE caching mode, depending
on the typical application traffic, though you can change the mode if you want.
Cisco Wide Area Application Services Configuration Guide
13-2
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Enabling and Disabling the Global Optimization Features
The global optimization features determine if TFO Optimization, Data Redundancy Elimination (DRE),
and Persistent Compression are enabled on a device or device group. By default, all of these features are
enabled. If you choose to disable one of these features, the device will be unable to apply the full WAAS
optimization techniques to the traffic that it intercepts.
In addition, the global optimization features include each of the following application accelerators:
CIFS, EPM, HTTP, ICA, MAPI, NFS, SMB, SSL, and video. By default, all of the application
accelerators are enabled except SMB. Encrypted MAPI is also not enabled by default. The application
accelerators also require specific licenses to operate. For information on installing licenses, see the
“Managing Software Licenses” section on page 10-3.
You must enable the accelerator on both of the peer WAEs at either end of a WAN link for all application
accelerators to operate.
To enable or disable a global optimization feature, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Enabled Features.
The Enabled Features window appears. (See Figure 13-1.)
Note
On WAAS Express devices, only a subset of the standard features are available. (See
Figure 13-2.)
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-3
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-1
Enabled Features Window
Figure 13-2 shows the subset of standard features that are available for a WAAS Express device.
Figure 13-2
Enabled Features Window—WAAS Express
Cisco Wide Area Application Services Configuration Guide
13-4
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
For WAAS Express, the following express versions of application accelerators are supported:
•
CIFS accelerator express (See the “Configuring CIFS Accelerator Express” section on page 13-27)
•
HTTP accelerator express (See the “Configuring HTTP Acceleration” section on page 13-8)
•
SSL accelerator express (See the “Configuring SSL Acceleration” section on page 13-30)
Not all of the properties in the standard WAAS device are available in the WAAS Express version of the
application accelerators.
Note
If you try to enable DRE on a WAAS Express device on which it is not supported, a message
tells you that it is not supported.
The Restore Predefined Settings icon for WAAS Express applies the predefined settings for
HTTP/HTTPS, CIFS, and SSL cipher list and peering service.
Step 3
Place a check next to the optimization features that you want to enable, and uncheck the features that
you want to disable. For a description of each of the optimization features, see the “Key Services of
Cisco WAAS” section on page 1-4.
Some features have additional settings that you can configure by clicking a link next to the setting name.
Hover your cursor over the small target icon next to the link to see a pop-up window that shows the
current settings.
Step 4
If you check the Data Redundancy Elimination check box, you can click the DRE Settings link as a
shortcut to the DRE Settings Configuration window. For more information, see the “Configuring DRE
Settings” section on page 13-7.
Step 5
If you check the CIFS Accelerator check box, you have the following option:
•
Note
CIFS Print Accelerator—Check this box to accelerate print traffic between clients and a Windows
print server. This accelerator is enabled by default when you enable the CIFS accelerator.
Do not disable CIFS Print Acceleration during a client session because this action can interfere
with client use of print services. If you must disable CIFS Print Acceleration, disconnect and
then reestablish the client session.
Step 6
If you check the HTTP Accelerator check box, you can click the HTTP Settings link as a shortcut to
the HTTP/HTTPS Settings window. For more information, see the “Configuring HTTP Acceleration”
section on page 13-8.
Step 7
If you check the ICA Accelerator check box, you can click the ICA Settings link as a shortcut to the
ICA Acceleration Configuration window. For more information, see the “Configuring ICA
Acceleration” section on page 13-28.
Step 8
If you check the MAPI Accelerator check box, you can click the MAPI Settings link as a shortcut to
the MAPI Settings window.
Note
When you check the MAPI Accelerator check box, Encrypted MAPI Traffic Optimization is
enabled by default.
For more information, see the “Configuring MAPI Acceleration” section on page 13-11.
Step 9
If you check the Encrypted MAPI Traffic Optimization check box, you can click the Mandatory
Encryption Configuration link as a shortcut to the Encrypted Services Configuration window.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-5
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
You must enable MAPI acceleration first for Encrypted MAPI acceleration to be enabled.
For more information, see the “Configuring Encrypted MAPI Acceleration” section on page 13-13.
Step 10
If you check the SMB Accelerator check box, you can click the SMB Settings link as a shortcut to the
SMB Acceleration Configuration window. For more information, see the “Configuring SMB
Acceleration” section on page 13-25.
Step 11
If you check the SSL Accelerator check box, you must configure additional settings to enable SSL
acceleration. For more information, see the “Configuring SSL Acceleration” section on page 13-30.
Step 12
If you check the Video Accelerator check box, you can click the Video Settings link as a shortcut to
the Video Acceleration Configuration window. For more information, see the “Configuring Video
Acceleration” section on page 13-23.
Step 13
In the Advanced Settings area, uncheck the Blacklist Operation feature if you want to disable it. This
feature allows a WAE to better handle situations in which TCP setup packets that have options are
blocked or not returned to the WAE device. This behavior can result from network devices (such as
firewalls) that block TCP setup packets that have options, and from asymmetric routes. The WAE can
keep track of origin servers (such as those behind firewalls) that cannot receive optioned TCP packets
and learns not to send out TCP packets with options to these blacklisted servers. WAAS is still able to
accelerate traffic between branch and data center WAEs in situations where optioned TCP packets are
dropped. We recommend leaving this feature enabled.
Step 14
If you want to change the default Blacklist Server Address Hold Time of 60 minutes, enter the new time
in minutes in the Blacklist Server Address Hold Time field. The valid range is 1 minute to 10080 minutes
(1 week).
When a server IP address is added to the blacklist, it remains there for configured hold time. After that
time, subsequent connection attempts will again include TCP options so that the WAE can redetermine
if the server can receive them. It is useful to retry sending TCP options periodically because network
packet loss may cause a server to be erroneously blacklisted.
You can shorten or lengthen the blacklist time by changing the Blacklist Server Address Hold Time field.
Step 15
Click Submit.
The changes are saved to the device or device group.
To configure TFO optimization, DRE, and persistent compression from the CLI, use the tfo optimize
global configuration command.
To configure CIFS acceleration from the CLI, use the accelerator cifs and accelerator cifs preposition
global configuration commands.
To configure CIFS print acceleration from the CLI, use the accelerator windows-print global
configuration command.
To configure EPM acceleration from the CLI, use the accelerator epm global configuration command.
To configure HTTP acceleration from the CLI, use the accelerator http global configuration command.
To configure ICA acceleration from the CLI, use the accelerator ica global configuration command.
To configure MAPI acceleration from the CLI, use the accelerator mapi global configuration command.
To configure NFS acceleration from the CLI, use the accelerator nfs global configuration command.
To configure SMB acceleration from the CLI, use the accelerator smb global configuration command.
Cisco Wide Area Application Services Configuration Guide
13-6
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
To configure SSL acceleration from the CLI, use the accelerator ssl global configuration command.
To configure video acceleration from the CLI, use the accelerator video global configuration command.
To configure the Blacklist Operation feature from the CLI, use the tfo auto-discovery global
configuration command.
To display status and statistics on the application accelerators from the CLI, use the show accelerator
and show statistics accelerator EXEC commands. To display statistics on the Windows print
accelerator, use the show statistics windows-print requests EXEC command.
For details on configuring individual application accelerators, see the following sections:
•
Configuring HTTP Acceleration, page 13-8
•
Configuring MAPI Acceleration, page 13-11
•
Configuring Encrypted MAPI Acceleration, page 13-13
•
Configuring Video Acceleration, page 13-23
•
Configuring CIFS Accelerator Express, page 13-27
•
Configuring SMB Acceleration, page 13-25
•
Configuring ICA Acceleration, page 13-28
•
Configuring SSL Acceleration, page 13-30
•
For CIFS: Chapter 12, “Configuring File Services”
Configuring DRE Settings
To enable DRE settings, check the Data Redundancy Elimination check box in the Enabled Features
window (see Figure 13-1 on page 13-4).
To configure the DRE auto bypass and load monitor settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > DRE Settings.
The DRE Settings window appears.
Step 3
Check the Enable DRE auto bypass check box to generate an alarm and automatically DRE bypass
application traffic.
Step 4
Check the Enable DRE Load Monitor check box to enable load report.
Step 5
Click Submit.
The changes are saved to the device or device group.
To enable DRE auto bypass from the CLI, use the dre auto-bypass enable global configuration
command.
To enable DRE load monitor from the CLI, use the dre load-monitor report global configuration
command.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-7
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Configuring HTTP Acceleration
The HTTP application accelerator accelerates HTTP traffic. SSL traffic that uses HTTPS can be
optimized by both SSL and HTTP optimizations.
The default Web optimization policy is defined to send traffic to the HTTP accelerator. The Web
optimization policy uses the HTTP class map, which matches traffic on ports 80, 8080, 8000, 8001, and
3128. If you expect HTTP traffic on other ports, add the other ports to the HTTP class map.
To enable the HTTP accelerator, check the HTTP Accelerator check box in the Enabled Features window
(see Figure 13-1 on page 13-4).
To configure the HTTP acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > HTTP/HTTPS Settings.
The HTTP Acceleration Settings window appears. (See Figure 13-3.)
Note
For WAAS Express, the HTTP acceleration settings are the same but the fields are laid out
differently in the HTTP/HTTPS Settings window.
Figure 13-3
HTTP Acceleration Settings Window
Cisco Wide Area Application Services Configuration Guide
13-8
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Step 3
Check the Enable HTTP metadatacache caching check box to enable the WAE to cache HTTP header
(metadata) information. The default setting is enabled.
This box must be checked to enable any of the other settings in the Metadata Cache Settings area. If this
box is not checked, no header caching is done.
For details on HTTP metadata caching, see the “About HTTP Metadata Caching” section on page 13-10.
Step 4
Check the Enable HTTPS metadatacache caching check box to enable the WAE to cache HTTPS
header (metadata) information (HTTP as payload in SSL traffic). The default setting is checked
(enabled).
For details on HTTP metadata caching, see the “About HTTP Metadata Caching” section on page 13-10.
Step 5
In the Maximum age of a cache entry field, enter the maximum number of seconds to retain HTTP header
information in the cache. The default is 86400 seconds (24 hours). Valid time periods range from
5–2592000 seconds (30 days).
Step 6
In the Minimum age of a cache entry field, enter the minimum number of seconds to retain HTTP header
information in the cache. The default is 60 seconds. Valid time periods range from 5 to 86400 seconds
(24 hours).
Step 7
Check the Enable local HTTP 301 redirect messages check box to enable the WAE to cache and locally
serve HTTP 301 messages. The default setting is checked.
Step 8
Check the Enable local HTTP 401 Authentication-required messages check box to enable the WAE
to cache and locally serve HTTP 401 messages. The default setting is checked.
Step 9
Check the Enable local HTTP 304 Not-Modified messages check box to enable the WAE to cache
HTTP 200 and 304 messages and locally serve HTTP 304 messages. The default setting is checked.
Step 10
To configure specific file extensions to which metadata caching is to be applied, enter the file extensions
in the File extension filters field at the far right. Separate multiple extensions with a comma (for
example: jpeg, gif, png) and do not include the dot at the beginning of the file extension.
By default, no file extension filters are defined and therefore metadata caching applies to all file types.
Step 11
Check the Enable Pre-fetch Optimization check box to allow the edge WAAS device to prefetch data.
This setting is not enabled by default.
This optimization benefits Web browser-based Office applications when they access Microsoft Office
documents (MS Word and Excel only) hosted on a Microsoft SharePoint Server 2010. For viewing Word
documents, the client must have Microsoft Silverlight installed.
By checking this box, you are telling the edge WAAS device to prefetch the subsequent pages of the
documents from the SharePoint server before the client actually requests them and serve them from the
cache when the request from the client arrives. You can now seamlessly scroll through the document
without having to wait for the content to load.
Note
Step 12
SharePoint prefetch optimization works with view in browser mode only.
Check the Suppress server compression for HTTP and HTTPS check box to configure the WAE to
suppress server compression between the client and the server. The default setting is checked.
By checking this box, you are telling the WAE to remove the Accept-Encoding value from HTTP and
HTTPS request headers, preventing the web server from compressing HTTP and HTTPS data that it
sends to the client. This allows the WAE to apply its own compression to the HTTP and HTTPS data,
typically resulting in much better compression than the web server for most files. For some file types
that rarely change, such as .css and .js files, this setting is ignored and web server compression is
allowed.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-9
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Step 13
Check the Enable DRE Hints for HTTP and HTTPS check box to send DRE hints to the DRE module
for improved DRE performance. The DRE hint feature is enabled by default.
Step 14
Click Submit.
The changes are saved to the device or device group.
To configure HTTP acceleration from the CLI, use the accelerator http global configuration command.
To show the contents of the metadata cache, use the show cache http-metadatacache EXEC command.
To clear the metadata cache, use the clear cache http-metadatacache EXEC command.
To enable or disable specific HTTP accelerator features for specific clients or IP subnets, use the HTTP
accelerator subnet feature. For more details, see the “Using an HTTP Accelerator Subnet” section on
page 13-10.
About HTTP Metadata Caching
The metadata caching feature allows the HTTP accelerator in the branch WAE to cache particular server
responses and respond locally to clients. The following server response messages are cached:
•
HTTP 200 OK (Applies to If-None-Match and If-Modified-Since requests)
•
HTTP 301 redirect
•
HTTP 304 not modified (Applies to If-None-Match and If-Modified-Since requests)
•
HTTP 401 authentication required
Metadata caching is not applied in the following cases:
Note
•
Requests and responses that are not compliant with RFC standards
•
URLs over 255 characters
•
301 and 401 responses with cookie headers
•
HEAD method is used
•
Pipelined transactions
The metadata caching feature is introduced in WAAS version 4.2.1, but version 4.2.1 is needed only on
the branch WAE. This feature can interoperate with an HTTP accelerator on a data center WAE that has
a lower version.
Using an HTTP Accelerator Subnet
The HTTP accelerator subnet feature allows you to selectively enable or disable specific HTTP
optimization features for specific IP subnets by using ACLs. This feature can be applied to the following
HTTP optimizations: HTTP metadata caching, HTTPS metadata caching, DRE hints, and suppress
server compression.
To define IP subnets, use the ip access-list global configuration command. Refer to this command in the
Cisco Wide Area Application Services Command Reference for information on configuring subnets. You
can use both standard and extended ACLs.
To configure a subnet for an HTTP accelerator feature, follow these steps:
Cisco Wide Area Application Services Configuration Guide
13-10
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Step 1
Enable the global configuration for all the HTTP accelerator features that you want to use.
Step 2
Create an IP access list to use for a subnet of traffic.
WAE(config)# ip access-list extended md_acl
WAE(config-ext-nacl)# permit ip 1.1.1.0 0.0.0.255 any
WAE(config-ext-nacl)# permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
WAE(config-ext-nacl)# exit
Step 3
Associate the ACL with a specific HTTP accelerator feature. Refer to the accelerator http global
configuration command in the Cisco Wide Area Application Services Command Reference for
information on associating an ACL with an HTTP accelerator feature.
WAE(config)# accelerator http metadatacache access-list md_acl
In this example, the HTTP metadata cache feature applies to all the connections that match the
conditions specified in the extended access-list md_acl.
In the following example, the HTTP suppress-server-encoding feature applies to all the connections that
match the conditions specified in the standard access-list 10.
WAE(config)# ip access-list standard 10
WAE(config-std-nacl)# permit 1.1.1.0 0.0.0.255
WAE(config-std-nacl)# exit
WAE(config)# accelerator http suppress-server-encoding accesslist 10
For the features (DRE hints and HTTPS metadata cache in this example) that do not have an ACL
associated with them, the global configuration is used and they are applicable to all the connections.
Configuring MAPI Acceleration
The MAPI application accelerator accelerates Microsoft Outlook Exchange traffic that uses the
Messaging Application Programming Interface (MAPI) protocol. Microsoft Outlook 2000–2010 clients
are supported. Clients can be configured with Outlook in cached or noncached mode; both modes are
accelerated.
Secure connections that use message authentication (signing) are not accelerated, and MAPI over HTTP
is not accelerated.
Note
Microsoft Outlook 2007 and 2010 have encryption enabled by default. You must disable encryption to
benefit from the MAPI application accelerator.
The EPM application accelerator must be enabled for the MAPI application accelerator to operate. EPM
is enabled by default. Additionally, the system must define an optimization policy of type EPM, specify
the MAPI UUID, and have an Accelerate setting of MAPI. This policy, MAPI for the
Email-and-Messaging application, is defined by default.
EPM traffic, such as MAPI, does not normally use a predefined port. If your Outlook administrator has
configured Outlook in a nonstandard way to use a static port, you must create a new basic optimization
policy that accelerates MAPI traffic with a class map that matches the static port that was configured for
Outlook.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-11
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
If the WAE becomes overloaded with connections, the MAPI application accelerator continues to
accelerate MAPI connections by using internally reserved connection resources. If the reserved
resources are also exceeded, new MAPI connections are passed through until connection resources
become available.
To enable the MAPI accelerator, check the MAPI Accelerator check box in the Enabled Features window
(see Figure 13-1 on page 13-4).
Note
When you enable MAPI acceleration, Encrypted MAPI acceleration is enabled by default.
To configure MAPI acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > MAPI Settings.
The MAPI Acceleration Settings window appears. (See Figure 13-4.)
Figure 13-4
Step 3
MAPI Acceleration Settings Window
In the Reserved Pool Size Maximum Percent field, enter the maximum percent of connections to
restrict the maximum number of connections reserved for MAPI optimization during TFO overload. It
is specified as a percent of the TFO connection limit of the platform. Valid percent ranges from 5%-50%.
The default is 15%, which would reserve approximately 0.5 connection for each client-server
Association Group (AG) optimized by the MAPI accelerator.
The client maintains at least one AG per server it connects to with an average of about 3 connections per
AG. For deployments that observe a greater average number of connections per AG, or where TFO
overload is a frequent occurrence, a higher value for reserved pool size maximum percent is
recommended.
Reserved connections would remain unused when the device is not under TFO overload. Reserved
connections are released when the AG terminates.
Step 4
Click Submit. The changes are saved to the device or device group.
Cisco Wide Area Application Services Configuration Guide
13-12
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Configuring Encrypted MAPI Acceleration
The Encrypted MAPI acceleration feature provides WAN optimization for secure MAPI application
protocols using MS-Kerberos security protocol and Windows Active Directory identity for
authentication of clients and/or servers in the domain.
Note
You must enable MAPI acceleration first for Encrypted MAPI acceleration to be enabled. Encrypted
MAPI acceleration is enabled by default.
This section contains the following topics:
•
Task Flow for Configuring Encrypted MAPI, page 13-13
•
Configuring Encrypted MAPI Settings, page 13-14
•
Configuring a Machine Account Identity, page 13-16
•
Creating and Configuring a User Account, page 13-17
•
Configuring Microsoft Active Directory, page 13-19
•
Managing Domain Identities and Encrypted MAPI State, page 13-21
Task Flow for Configuring Encrypted MAPI
To configure Encrypted MAPI traffic acceleration, complete the tasks listed in Table 13-1. These tasks
must be performed on both data center and branch WAEs unless specifically noted as not required (or
optional).
Table 13-1
Tasks for Configuring Encrypted MAPI
Task
1. Configure DNS Settings.
2.
Configure NTP Settings.
3.
Verify WAE devices are registered and
online with the WAAS Central Manager.
4.
Configure SSL Peering Service.
5.
Verify WAN Secure mode is enabled.
6.
Configure windows domain settings and
perform domain join.
(The domain join function automatically
creates the machine account in Active
Directory.)
Additional Information and Instructions
To configure DNS settings, see the “Configuring the
DNS Server” section on page 6-26.
To synchronize the time with Active Directory, see the
“Configuring NTP Settings” section on page 10-5.
To verify WAE devices are registered and online with
the WAAS Central Manager, see the “Devices
Window” section on page 17-6.
To configure SSL Peering Service, see the
“Configuring SSL Peering Service” section on
page 13-45.
To verify WAN Secure mode is enabled, use the
show accelerator wansecure EXEC command.
To configure Windows Domain Server Authentication
settings, see the “Configuring Windows Domain
Server Authentication Settings” section on page 7-16
section.
Note that performing a domain join of the WAE is not
required on branch WAE devices.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-13
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Table 13-1
Tasks for Configuring Encrypted MAPI (continued)
Task
Additional Information and Instructions
7. Configure domain identities (for machine To configure a machine account identity, see the
account and optional user accounts).
“Configuring a Machine Account Identity” section on
page 13-16.
(Optional) To create a user account and configure a
user account identity, see the “Creating and
Configuring a User Account” section on page 13-17.
8.
Enable Windows Domain Encrypted
Service.
9.
Enable Encrypted MAPI Traffic
Optimization.
Note that configuring domain identities is not required
on branch WAE devices.
To enable the Windows Domain Encrypted Service,
navigate to the Configure > Security > Windows
Domain > Encrypted Services page and check the
Enable Encrypted Service check box.
To enable Encrypted MAPI Traffic, see the “Enabling
and Disabling the Global Optimization Features”
section on page 13-3.
Configuring Encrypted MAPI Settings
To configure Encrypted MAPI acceleration, follow these steps:
Step 1
Configure DNS Settings.
The WAAS DNS server must be part of the DNS system of Windows Active Directory domains to
resolve DNS queries for traffic encryption.
To configure DNS settings, see the “Configuring the DNS Server” section on page 6-26.
Step 2
Configure NTP Settings to synchronize the time with Active Directory.
The WAAS device has to be in synchronization with Active Directory for Encrypted MAPI acceleration.
The WAAS NTP server must share time synchronization with the Active Directory Domain Controllers
domains for which traffic encryption is desired. Out of sync time will cause Encrypted MAPI
acceleration to fail.
To synchronize the time with Active Directory, see the “Configuring NTP Settings” section on
page 10-5.
Step 3
Verify WAE devices are registered and online with the WAAS Central Manager.
To verify WAE devices are registered and online with the WAAS Central Manager, see the “Devices
Window” section on page 17-6.
Step 4
Configure SSL Peering Service.
Note
SSL accelerator must be enabled and in the running state.
To configure SSL Peering Service, see the “Configuring SSL Peering Service” section on page 13-45.
Step 5
Verify WAN Secure mode is enabled.
The default mode is Auto. You can verify the state of WAN Secure mode using the following EXEC
command:
Cisco Wide Area Application Services Configuration Guide
13-14
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
show accelerator wansecure
If necessary, you can change the state of WAN Secure using the following global configuration
command:
accelerator mapi wansecure-mode {always | auto | none}
Step 6
Configure Windows domain settings and perform a domain join. (A domain join automatically creates
the machine account in Active Directory.)
Note
Performing a domain join of the WAE is not required on branch WAE devices.
Note
This step is optional on data center WAEs if only user accounts are used for domain identity
configuration in the next step.
To configure Windows Domain Server Authentication settings, see the “Configuring Windows Domain
Server Authentication Settings” section on page 7-16.
Note
Step 7
Kerberos authentication is used for Encrypted MAPI Acceleration. NTLM authentication
method is not supported.
Configure domain identities. (Not required for branch WAEs.)
You must have at least one account configured, either user or machine, that is configured with a domain
identity. Each device can support up to 5 domain identities,1 machine account identity and 4 user account
identities. This allows a WAAS device to accelerate up to 5 domain trees. You must configure a domain
identity for each domain with an exchange server that has clients to be accelerated.
a.
Configure the machine account identity.
A machine account for the core device was automatically created during the join process in the
Windows Domain Server authentication procedure in the previous step. If you are using a machine
account, a machine account identity must be configured for this account.
Each device only supports one machine account identity.
To configure a machine account identity, see the “Configuring a Machine Account Identity” section
on page 13-16.
b.
Create and configure optional user accounts.
You may utilize up to four optional user accounts for additional security. Multiple user accounts
provide greater security than having all of the core devices using a single user account. You are
required to configure a user account identity for each user account, whether you are utilizing an
existing user account or creating a new one.
To create a user account and configure a user account identity, see the “Creating and Configuring a
User Account” section on page 13-17.
Step 8
Enable Windows Domain Encrypted Service. (Enabled by default.)
a.
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
b.
From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The
Encrypted Services window appears.
c.
Check the Enable Encrypted Service check box.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-15
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
d.
Step 9
Click Submit to save your changes.
Enable Encrypted MAPI Traffic Optimization.
From the Enabled Features window, check the Encrypted MAPI Traffic Optimization check box (the
MAPI Accelerator check box must also be checked), and click Submit. Encrypted MAPI traffic
optimization is enabled by default.
For more information on the Enabled Features window, see the “Enabling and Disabling the Global
Optimization Features” section on page 13-3.
Configuring a Machine Account Identity
To configure an identity for a machine account, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The
Encrypted Services window appears.
Step 3
Click the Add Domain Identity button to add a machine account domain identity. (See Figure 13-6.)
Every WAAS device to be accelerated must have a domain identity.
Figure 13-5
a.
Add Domain Identity—Machine Account
Select Machine Account from the Account Type drop-down list.
Note
Windows domain join must be completed before creating the machine account domain
identity. See the “Configuring Windows Domain Server Settings on a WAAS Device”
section on page 7-17 for more information.
Cisco Wide Area Application Services Configuration Guide
13-16
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
b.
Enter the identity name in the Identity Name field. Alphanumeric characters only (cannot contain
space, ?, |), not exceeding 32 characters.
Note
Step 4
The domain identity must have sufficient privileges in the Windows Domain Active
Directory to replicate the desired domain information to optimize encrypted traffic. To
configure privileges, see the “Configuring Microsoft Active Directory” section on
page 13-19.
Click OK. The domain identity appears in the Encrypted Services Domain Identities list. (See
Figure 13-6.)
Figure 13-6
Encrypted Services—Domain Identity
To configure and verify Encrypted Services Domain Identities from the CLI, use the windows-domain
encrypted-service global configuration command and the show windows-domain encrypted-service
EXEC command.
Creating and Configuring a User Account
To create a user account and configure a user account identity, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears. (See Figure 13-7.)
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-17
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-7
Step 3
Click the Add Domain Identity button to add a user account domain identity. The Domain Identity
window appears. (See Figure 13-8.)
Figure 13-8
Add Domain Identity—User Account
a.
Select user account from the Account Type drop-down list.
b.
Enter the identity name in the Identity Name field. Alphanumeric characters only (cannot contain
space, ?, |), not exceeding 32 characters.
c.
Enter username and password information.
d.
Enter the domain name.
e.
Enter the Kerberos realm.
Note
Step 4
Encrypted Services
The domain identity must have sufficient privileges in the Windows Domain Active Directory to
replicate the desired domain information to optimize encrypted traffic. To configure privileges,
see the “Configuring Microsoft Active Directory” section on page 13-19.
Click OK. The domain identity appears in the Encrypted Services Domain Identities list.
Cisco Wide Area Application Services Configuration Guide
13-18
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
Secure store encryption is used for the user account domain identity password. If secure store
cannot be opened, an alarm is raised indicating that the configuration updates could not be stored
on the device. Once secure store can be opened and the configuration updates are successfully
stored on the device, the alarm is cleared.
To configure and verify Encrypted Services Domain Identities from the CLI, use the windows-domain
encrypted-service global configuration command and the show windows-domain encrypted-service
EXEC command.
Configuring Microsoft Active Directory
To grant Cisco WAAS permission to accelerate Exchange encrypted email sessions, follow these steps:
Step 1
Using an account with Domain Administrator privileges, launch the Active Directory Users and
Computers application.
Step 2
Create a new group.
Note
a.
This group is for accounts that WAAS will use to optimize Exchange traffic. Normal users and
computers should not be added to this group.
Right-click the Organizational Unit (OU) to contain the new group and choose New > Group.(See
Figure 13-9.)
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-19
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-9
b.
Active Directory—Add Group
Enter a name in the Group name fields and select the following attributes:
– Group scope: Universal
– Group type: Security
c.
Step 3
Click OK.
Configure the permissions required by WAAS.
a.
In the Active Directory Users and Computers application window, select View >
Advanced Features from the menu bar.
b.
Right-click on the root of the domain and choose Properties.
c.
Select the Security tab. (See Figure 13-10.)
Cisco Wide Area Application Services Configuration Guide
13-20
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-10
Active Directory—Security Tab
d.
Click Add in the Group or User Names section.
e.
Enter the name of the new group that you created in this procedure in the Enter the object names to
select field and click OK to add the new group to the list.
f.
Select the new group in the Group or user names list and set the following permissions to Allow:
– Replicating Directory Changes
– Replicating Directory Changes All
g.
Step 4
Click OK.
Add an account to the group.
User or workstation (computer) accounts must be added to the new group for WAAS Exchange
Encrypted email optimization.
a.
Right-click on the account you want to add and select the Member Of tab.
b.
Click Add.
c.
Choose the new group you created and click OK.
Active Directory permissions configuration is complete.
Managing Domain Identities and Encrypted MAPI State
This section contains the following topics:
•
Editing an Existing Domain Identity, page 13-22
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-21
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
•
Deleting an Existing Domain Identity, page 13-22
•
Disabling Encrypted MAPI, page 13-23
•
Encrypted MAPI Acceleration Statistics, page 13-23
Editing an Existing Domain Identity
You can modify the attributes of an existing domain identity on a WAAS device, if needed.
Note
If the password for a user account has been changed in Active Directory, you must edit the user account
domain identity on the WAAS device to match the new Active Directory password.
The following restrictions apply:
•
For a machine account identity, only the state of the domain identity (enabled or disabled) can be
modified from a WAAS device.
•
For a user account identity, only the state of the domain identity (enabled or disabled) and the
password can be modified from a WAAS device.
To change the password for a user account domain identity on a WAAS device when the password for
the account in Active Directory has changed, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3
Select the user account domain identity to modify and click the Edit icon.
The Domain Identity window appears.
Step 4
Change the password in the password field. The password should be the same as the password for the
account in Active Directory.
Step 5
Click OK.
Deleting an Existing Domain Identity
To delete a domain identity on a WAAS device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3
Select one or more domain identities to delete and click the Delete icon to remove the domain identity
configured on the WAAS device.
A warning message appears if the domain identity is being used for optimizing encrypted traffic.
Step 4
Click OK to accept or Cancel to abort the procedure.
Cisco Wide Area Application Services Configuration Guide
13-22
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Disabling Encrypted MAPI
To disable Encrypted MAPI, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Disable Encrypted Service.
a.
From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3
b.
Uncheck the Enable Encrypted Service check box.
c.
Click Submit to save your changes.
Disable Encrypted MAPI Traffic Optimization.
a.
From the menu, choose Configure > Acceleration > Enabled Features.
The Enabled Features window appears.
b.
Uncheck the Encrypted MAPI Traffic Optimization check box.
c.
Click Submit to save your changes.
Encrypted MAPI Acceleration Statistics
To view statistics for Encrypted MAPI connections, see the “Using Predefined Reports to Monitor
WAAS” section on page 17-35 and see the MAPI acceleration reports.
Configuring Video Acceleration
The video application accelerator accelerates Windows Media live video broadcasts that use RTSP over
TCP. The video accelerator automatically splits one source video stream from the WAN into multiple
streams to serve multiple clients on the LAN.
The video accelerator automatically causes the client that is requesting a UDP stream to do a protocol
rollover to use TCP (if both the client and server allow TCP).
The default RTSP class map for the Streaming optimization policy is defined to send traffic to the video
accelerator.
By default, the video accelerator sends any unaccelerated video traffic to be handled by the negotiated
standard TCP optimization policy unless the video accelerator is explicitly configured to drop such
traffic. You can choose to drop all unaccelerated video traffic or only traffic that is unaccelerated due to
an overload condition.
To enable the video accelerator, check the Video Accelerator check box in the Enabled Features window
(see Figure 13-1 on page 13-4).
To configure the video acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Video Settings.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-23
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
The Video Acceleration Configuration window appears. (See Figure 13-11.)
Figure 13-11
Video Acceleration Configuration Window
Step 3
In the Client First Message Reception Timeout field, enter the number of seconds to wait for the first
message from the client and the first response from the server, after the connection is accepted by the
video accelerator, before timing out the connection. Valid values range from 10–180 seconds. The
default is 60.
Step 4
In the drop-down list, choose which unaccelerated video traffic to drop, as follows:
•
All—Drop all video traffic that is not being accelerated due to an unsupported transport or format,
or overload. All Windows Media video-on-demand traffic and all non-Windows Media RTSP traffic
is dropped.
•
Overload Only—Drop all video traffic that is not being accelerated due to an accelerator overload
only.
•
None—Handle unaccelerated video connections with the negotiated TCP optimization policy. (The
traffic is not dropped.)
Note
Under some conditions, the video accelerator is not registered with the policy engine, such as
when there is no valid license or in certain error conditions. If you configure the video
accelerator to drop all unaccelerated video traffic, the policy engine drops all video traffic (even
traffic that would have been accelerated if the video accelerator had been properly registered
with the policy engine).
Step 5
Check the Enable transaction logs check box to enable transaction logging. This feature will generate
a large amount of logging data. This box is unchecked by default. Click the More Settings link to go to
the Windows Media Transaction Log Settings configuration page.
Step 6
Check the Enable log forwarding check box to enable forwarding of Windows Media logs to the
upstream Windows Media Server. This box is checked by default.
Step 7
In the Client Idle Connection timeout field, enter the maximum number of seconds to wait after the
initial client request, while the client connection is idle, before timing out the connection. Valid values
range from 30–300 seconds. The default is 60.
Step 8
Click Submit.
Cisco Wide Area Application Services Configuration Guide
13-24
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
The changes are saved to the device or device group.
To configure video acceleration from the CLI, use the accelerator video global configuration command.
Configuring SMB Acceleration
The SMB application accelerator handles optimizations of file server operations. It can be configured to
perform the following file server optimizations:
•
Read Ahead optimization—The SMB accelerator performs a read-ahead optimization on files that
use the oplock feature. When a client sends a read request for a file, it is likely that it may issue more
read requests for the same file. To reduce the use of network bandwidth to perform these functions
over the WAN on the file server, the SMB accelerator performs read-ahead optimization by
proactively reading more file data than what has been initially requested by the client.
•
Directory listing optimization—A significant portion of the traffic on the network is for retrieving
directory listings. The SMB accelerator optimizes directory listings from the file server through
prefetching. For directory prefetching, a request from the client is expanded to prefetch up to 64 KB
of directory listing content. The SMB accelerator buffers the pre-fetched directory listing data until
the client has requested all the data. If the directory listing size exceeds 64 KB then a subsequent
request from the client is expanded by the SMB accelerator again to prefetch content up to 64 KB.
This continues until all the entries of the directory are returned to the client.
•
Metadata optimization—The SMB accelerator optimizes fetching metadata from the file server
through metadata prefetching. Additional metadata requests are tagged along with the client request
and are sent to the file server to prefetch more information levels than what was requested by the
client.
•
Named Pipe optimization—The SMB accelerator optimizes frequent requests from Windows
Explorer to the file server to retrieve share, server, and workstation information. Each of these
requests involves a sequence of operations that include opening and binding to the named pipe,
making the RPC request, and closing the named pipe. Each operation incurs a round trip to the file
server. To reduce the use of network bandwidth to perform these functions over the WAN on the file
server, the SMB accelerator optimizes the traffic on the network by caching named pipe sessions and
positive RPC responses.
•
Write optimization—The SMB accelerator performs write optimization by speeding up the write
responses to the client by acknowledging the Write requests to the client whenever possible and, at
the same time, streaming the Write request over the WAN to the server.
•
Not-Found Metadata caching—Applications sometimes send requests for directories and files that
do not exist on file servers. For example, Windows Explorer accesses the Alternate Data Streams
(ADS) of the file it finds. With negative Not-Found (NF) metadata caching, the full paths to those
nonexistent directories and files are cached so that further requests for the same directories and files
get local denies to save the round-trips of sending these requests to the file servers.
•
DRE-LZ Hints—The SMB accelerator provides DRE hints to improve system performance and
resources utilization. At the connection level, the SMB accelerator uses the BEST_COMP latency
sensitivity level for all connections, as it gives the best compression. At the message level, the SMB
accelerator provides message-based DRE hints for each message to be transmitted over the WAN.
•
Microsoft optimization—The SMB accelerator optimizes file operations for Microsoft applications
by identifying lock request sequences for file name patterns supported by Microsoft Office
applications.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-25
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
•
Invalid FID optimization—The SMB accelerator optimizes SMB2 clients by locally denying
attempts to access files with invalid file handle values instead of sending such requests to the file
servers.
•
Batch Close optimization—The SMB accelerator performs asynchronous file close optimizations on
SMB2 traffic.
To enable the SMB accelerator, check the SMB Accelerator check box in the Enabled Features window.
Note
The CIFS accelerator and SMB accelerator are mutually exclusive. Both of these cannot be enabled at
the same time.
To configure the SMB acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > SMB Settings.
The SMB Optimization Bypass Settings window appears. (See Figure 13-12.)
Figure 13-12
Step 3
SMB Accelerator Configuration Window
In the Highest Dialect Optimized drop-down list, choose the highest dialect to optimize. The available
options are:
•
NTLM 0.12 or NTLM 1.0
•
SMB 2.0
•
SMB 2.1
Cisco Wide Area Application Services Configuration Guide
13-26
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Step 4
In the Highest Dialect Optimized Exceed Action drop-down list, choose the action for the dialects that
are higher than the one chosen as the highest dialect to optimize, as follows:
•
Handoff—If the negotiated dialect is higher than the chosen highest dialect to optimize, the
connection is handed off to the generic accelerator.
•
Mute—The dialects higher than the one chosen as the highest dialect to optimize are removed from
the negotiation list.
Step 5
In the Bypass File Name Pattern text box, enter the patterns for the file names that you want the SMB
accelerator to bypass optimization for. The files whose names match the specified expressions are not
optimized.
Step 6
Check the Read Ahead Optimization check box to enable the SMB to optimize the quantity of
read-ahead data from the file. The SMB performs a read-ahead optimization only when the file is opened
using the ops lock feature. This box is checked by default.
Step 7
Check the Meta Data Optimization check box to enable metadata optimization. This box is checked by
default.
Step 8
Check the Named Pipe Optimization check box to enable named pipe optimization by caching named
pipe sessions and positive RPS responses. This box is checked by default.
Step 9
Check the Write Optimization check box to enable the write optimization by speeding up the write
responses to the client. This box is checked by default
Step 10
Check the Microsoft Office Optimization check box to enable optimizations for all versions of
Microsoft Office. The SMB accelerator does not perform read-ahead, write optimization, and lock-ahead
for Microsoft Office if this optimization is disabled. This box is checked by default.
Step 11
Check the ‘Not Found’ Cache Optimization check box to enable caching pathnames of files not found.
This box is checked by default.
Step 12
Check the Invalid FID Optimization check box to enable optimization of handling files with invalid
file handle values. This box is checked by default.
Step 13
Check the Batch Close Optimization check box to enable asynchronous file close optimizations. This
box is checked by default.
Step 14
Click Submit to save the changes.
To configure SMB acceleration from the CLI, use the accelerator smb global configuration command.
Configuring CIFS Accelerator Express
The CIFS application accelerator express handles optimizations of file server operations on a WAAS
Express device. It interoperates with either the standard CIFS accelerator or the standard SMB
accelerator on a standard WAAS device.
CIFS accelerator express can be configured to perform the following file server optimizations:
•
Write optimization—CIFS accelerator express performs write optimization by speeding up the write
responses to the client by acknowledging the Write requests to the client whenever possible and, at
the same time, streaming the Write request over the WAN to the server.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-27
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
•
Read Ahead optimization—CIFS accelerator express performs a read-ahead optimization on files
that use the oplock feature. When a client sends a read request for a file, it is likely that it may issue
more read requests for the same file. To reduce the use of network bandwidth to perform these
functions over the WAN on the file server, the SMB accelerator performs read-ahead optimization
by proactively reading more file data than what has been initially requested by the client.
•
ADS Negative Cache—Applications sometimes send requests for directories and files that do not
exist on file servers. For example, Windows Explorer accesses the Alternate Data Streams (ADS) of
the file it finds. With ADS Negative caching, the full paths to those nonexistent directories and files
are cached so that further requests for the same directories and files get local denies to save the
round-trips of sending these requests to the file servers.
To enable CIFS accelerator express, check the CIFS Accelerator Express check box in the Enabled
Features window.
To configure the CIFS accelerator express settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > CIFS Settings.
The CIFS Optimization Bypass Settings window appears.
Step 3
Check the Write Optimization check box to enable the write optimization by speeding up the write
responses to the client. This box is checked by default
Step 4
Check the Read Ahead Optimization check box to enable CIFS accelerator express to optimize the
quantity of read-ahead data from the file. CIFS accelerator express performs a read-ahead optimization
only when the file is opened using the ops lock feature. This box is checked by default.
Step 5
Check the ADS Negative Cache check box to enable caching pathnames of files not found. This box is
checked by default.
Step 6
Click Submit to save the changes.
To configure CIFS accelerator express from the CLI, use the accelerator cifs global configuration
command.
Configuring ICA Acceleration
The ICA application accelerator provides WAN optimization on a WAAS device for ICA (Independent
Computing Architecture) traffic which is used to access a virtual desktop infrastructure (VDI). This is
done through a process that is both automatic and transparent to the client and server.
ICA acceleration is enabled on a WAAS device by default.
To enable the ICA accelerator, check the ICA Accelerator check box in the Enabled Features window
(see Figure 13-13 on page 13-29).
To configure the ICA acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > ICA Settings.
Cisco Wide Area Application Services Configuration Guide
13-28
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
The ICA Acceleration Configuration window appears. (See Figure 13-11.)
Figure 13-13
ICA Acceleration Configuration Window
Step 3
Check the Enable Multi Stream ICA check box to allow the client and server up to three additional
TCP connections that optimize multi stream ICA traffic.
Step 4
In the WAN Secure Mode drop-down list, choose the mode, as follows:
•
None—Disables WAN Secure mode for ICA. This is the default.
•
Always—Enables WAN Secure mode for ICA.
Note
Step 5
In the DSCP Settings (QoS) for ICA Streams section, check the Enable DSCP Tagging check box to
configure DSCP values for MSI priority levels. These values override the defaults (the range is from 0
to 63).
Note
Configure DSCP values for MSI priority levels in the descending order of the priority.
a.
Very-High Priority MSI—Typically real time traffic, such as audio (the default is af41)
b.
High Priority MSI—Typically interactive traffic (the default is af41)
c.
Medium Priority MSI—Typically bulk data (the default is af21)
d.
Low Priority MSI—Typically background traffic, such as printing (the default is 0—best effort)
e.
Non-MSI—(the default is af21)
Note
Step 6
The state of WAN Secure mode in both Branch WAE and Data Center WAE must match for
connections to get optimized with the ICA accelerator.
MSI priority configuration might not apply to devices earlier than version 5.1.x.
Click Submit.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-29
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
The changes are saved to the device or device group.
To configure ICA acceleration from the CLI, use the accelerator ica global configuration command.
To verify the status of WAN Secure mode from the CLI, use the show accelerator wansecure EXEC
command.
Configuring SSL Acceleration
The SSL application accelerator optimizes traffic on Secure Sockets Layer (SSL) encrypted connections.
If SSL acceleration is not enabled, the WAAS software DRE optimizations are not very effective on SSL
encrypted traffic. The SSL application acceleration enables WAAS to decrypt and apply optimizations
while maintaining the security of the connection.
Note
On a WAAS Express device, only SSL cipher list, SSL certificate authorities, and SSL peering service
configuration is supported.
Note
The SSL accelerator does not optimize protocols that do not start their SSL/TLS handshake from the
very first byte. The only exception is HTTPS that goes through a proxy (where the HTTP accelerator
detects the start of SSL/TLS). In this case, both HTTP and SSL accelerators optimize the connection.
The SSL application accelerator supports SSL Version 3 (SSLv3) and Transport Layer Security
Version 1 (TLSv1) protocols. If a TLSv1.1 or TLSv1.2 client request is received, negotiation to
downgrade to TLS v1.0 occurs. If refused by the client, the traffic is passed through.
Table 13-2 provides an overview of the steps you must complete to set up and enable SSL acceleration.
Table 13-2
Checklist for Configuring SSL Acceleration
Task
Additional Information and Instructions
1. Prepare for configuring SSL acceleration. Identifies the information that you need to gather before configuring SSL
acceleration on your WAAS devices. For more information, see the
“Preparing to Use SSL Acceleration” section on page 13-31.
2. Enable secure store, the Enterprise
Describes how to set up Central Manager secure store, how to enable the
License, and SSL acceleration.
Enterprise License, and how to enable SSL acceleration. Secure store mode
is required for secure handling of the SSL encryption certificates and keys.
For more information, see the “Enabling Secure Store, the Enterprise
License, and SSL Acceleration” section on page 13-32.
3. Enable SSL application optimization.
Describes how to activate the SSL acceleration feature. For more
information, see the “Enabling and Disabling the Global Optimization
Features” section on page 13-3.
4. Configure SSL acceleration settings.
(Optional) Describes how to configure the basic setup of SSL acceleration.
For more information, see the “Configuring SSL Global Settings” section on
page 13-33.
5. Create and manage cipher lists.
(Optional) Describes how to select and set up the cryptographic algorithms
used on your WAAS devices. For more information, see the “Working with
Cipher Lists” section on page 13-37.
Cisco Wide Area Application Services Configuration Guide
13-30
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Table 13-2
Checklist for Configuring SSL Acceleration (continued)
Task
6. Set up CA certificates.
7.
Configure SSL management services.
8.
Configure SSL peering service.
9.
Configure and enable SSL accelerated
services.
Additional Information and Instructions
(Optional) Describes how to select, import, and manage certificate authority
(CA) certificates. For more information, see the “Working with Certificate
Authorities” section on page 13-39.
(Optional) Describes how to configure the SSL connections used between
the Central Manager and WAE devices. For more information, see the
“Configuring SSL Management Services” section on page 13-43.
(Optional) Describes how to configure the SSL connections used between
peer WAE devices for carrying optimized SSL traffic. For more information,
see the “Configuring SSL Peering Service” section on page 13-45.
Describes how to add, configure, and enable services to be accelerated by the
SSL application optimization feature. For more information, see the “Using
SSL Accelerated Services” section on page 13-47.
Preparing to Use SSL Acceleration
Before you configure SSL acceleration, you should know the following information:
•
The services that you want to be accelerated on the SSL traffic
•
The server IP address and port information
•
The public key infrastructure (PKI) certificate and private key information, including the certificate
common name and certificate authority signing information
•
The cipher suites supported
•
The SSL versions supported
Figure 13-14 shows how the WAAS software handles SSL application optimization.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-31
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-14
SSL Acceleration Block Diagram
Admin Browser
CM Administration
Admin Service
Central Manager
CM to Branch WAE
Management Service
Branch WAE
SSL Service - TCP connection carrying SSL
traffic on a well known TCP Prot (e.g. 443)
CM to Data Center WAE
Management Service
WAE to WAE
Peering Service
Data Center WAE
Common Name =
hr.analog.com
WAN1
Branch WAN
Router
Client to Server
Accelerated Service
Data Center WAN
Router
Client to Data Center SSL
Session
Server
Core to Server SSL
Session
SSL Data
SSL Sessions
TCP Session
243495
Client
When you configure SSL acceleration, you must configure SSL accelerated service on the server-side
(Data Center) WAE devices. The client-side (Branch) WAE needs to have its secure store initialized and
unlocked/opened, but does not need to have the SSL accelerated service configured. However, the SSL
accelerator must be enabled on both Data Center and Branch WAEs for SSL acceleration services to
work. The WAAS Central Manager provides SSL management services and maintains the encryption
certificates and keys.
Enabling Secure Store, the Enterprise License, and SSL Acceleration
Before you can use SSL acceleration on your WAAS system, you must perform the following steps:
Step 1
Enable secure store encryption on the Central Manager.
To enable secure store encryption, see the “Configuring Secure Store Settings” section on page 10-10.
Step 2
Enable the Enterprise license.
To enable the Enterprise license, see the “Managing Software Licenses” section on page 10-3.
Step 3
Enable SSL acceleration on devices.
To enable the SSL acceleration feature, see the “Enabling and Disabling the Global Optimization
Features” section on page 13-3.
Cisco Wide Area Application Services Configuration Guide
13-32
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
If the SSL accelerator is already running, you must wait 2 datafeed poll cycles when registering a new
WAE with a Central Manager before making any configuration changes, otherwise the changes may not
take effect.
Configuring SSL Global Settings
To configure the basic SSL acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Global Settings.
The SSL Global Settings window appears (see Figure 13-15).
Figure 13-15
Step 3
SSL Global Settings Window
To configure a device to use the SSL settings from a particular device group, choose the device group
from Select a Device Group drop-down list located in SSL global settings toolbar. A device can either
use its own SSL settings, or SSL settings from a device group. However, it is not possible to configure
a device to use SSL settings from multiple device groups.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-33
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Step 4
In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3
protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to accept both
SSL3 and TLS1 SSL protocols.
Step 5
(Optional) Set the Online Certificate Status Protocol (OCSP) parameters for certificate revocation:
a.
In the OCSP Revocation check drop-down list, select the OCSP revocation method.
Choose ocsp-url SSL accelerator to use OCSP responder specified in the OCSP Responder URL
field to check the revocation status of certificates. Choose ocsp-cert-url to use the OCSP responder
URL specified in the Certificate Authority certificate that signed the certificate.
b.
If the Ignore OCSP failures check box is enabled, the SSL accelerator will treat the OCSP
revocation check as successful if it did not get a definite response from the OCSP responder.
Step 6
In the Cipher List field, choose a list of cipher suites to be used for SSL acceleration. For more
information, see the “Working with Cipher Lists” section on page 13-37.
Step 7
Choose a certificate/key pair method (see Figure 13-16).
Figure 13-16
Configuring Service Certificate and Private Key
•
Click Generate Self-signed Certificate Key to have the WAAS devices use a self-signed
certificate/key pair for SSL.
•
Click Import Existing Certificate Key to upload or paste an existing certificate/key pair.
•
Click Export Certificate Key to export the current certificate/key pair.
•
Click Generate Certificate Signing Request to renew or replace the existing certificate/key pair.
The certificate signing request (CSR) is used by the Certificate Authority to generate a new
certificate.
The file that you import or export must be in either a PKCS12 format or a PEM format.
For service certificate and private key configuration steps, see the “Configuring a Service Certificate and
Private Key” section on page 13-34.
Step 8
Click Submit.
Configuring a Service Certificate and Private Key
To configure a service certificate and private key, follow these steps:
Step 1
To generate a self-signed certificate and private key (see Figure 13-17), follow these steps:
Cisco Wide Area Application Services Configuration Guide
13-34
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-17
Step 2
Self-Signed Certificate and Private Key
a.
Check the Mark private key as exportable check box to export this certificate/key in the WAAS
Central Manager and device CLI later.
b.
Fill in the certificate and private key fields.
To import an existing certificate or certificate chain and, optionally, private key (see Figure 13-18),
follow these steps:
Note
WAAS SSL feature only supports RSA signing/encryption algorithm and keys.
Figure 13-18
a.
Importing Existing Certificate or Certificate Chain
Check the Mark private key as exportable check box to export this certificate/key in the WAAS
Central Manager and device CLI later.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-35
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
b.
To import existing certificate or certificate chain and private key, perform one of the following:
•
Upload certificate and key in PKCS#12 format (also as Microsoft PFX format)
•
Upload certificate and private key in PEM format
•
Paste certificate and private key PEM content
If the certificate and private key are already configured, you can update the certificate only. In this
case, the Central Manager constructs the certificate and private key pair using the imported
certificate and current private key. This functionality can be used to update an existing self-signed
certificate to one signed by the Certificate Authority, or to update an expiring certificate.
The Central Manager allows importing a certificate chain consisting of an end certificate that must
be specified first, a chain of intermediate CA certificates that sign the end certificate or intermediate
CA certificate, and end with a root CA.
The Central Manager validates the chain and rejects it if the validity date of the CA certificate is
expired, or the signing order of certificates in the chain is not consequent.
c.
Step 3
Enter a pass-phrase to decrypt the private key, or leave this field empty if the private key is not
encrypted.
To export a configured certificate and private key (see Figure 13-19), follow these steps:
Figure 13-19
a.
Enter the encryption pass-phrase.
b.
Export current certificate and private key in either PKCS#12 or PEM formats. In case of PEM format
both certificate and private key are included in single PEM file.
Note
Step 4
Export Certificate and Key
Central Manager will not allow exporting certificate and private key if the certificate and key
were marked as non-exportable when they were generated or imported.
To generate a certificate signing request from a current certificate and private key (see Figure 13-20),
follow these steps:
Cisco Wide Area Application Services Configuration Guide
13-36
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-20
Generate Certificate Signing Request
To update the current certificate with one signed by the Certificate Authority:
a.
Generate PKCS#10 certificate signing request.
b.
Send generated certificate signing request to Certificate Authority to generate and sign certificate.
c.
Import certificate received from the Certificate Authority using the Importing existing certificate
and optionally private key option.
Note
The size of the key for a generated certificate request is the same as the size of the key in the
current certificate.
Working with Cipher Lists
Cipher lists are sets of cipher suites that you can assign to your SSL acceleration configuration. A cipher
suite is an SSL encryption method that includes the key exchange algorithm, the encryption algorithm,
and the secure hash algorithm.
To configure a cipher list, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Cipher Lists.
The SSL Cipher Lists window appears (see Figure 13-21).
Note
For a WAAS Express device, the SSL Cipher Lists window shows the same name and cipher
fields but in a slightly different format.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-37
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-21
Step 3
SSL Cipher Lists Window
Click Create to add a new cipher list.
The Creating New SSL Cipher List window appears (see Figure 13-22).
Note
For a WAAS Express device, click Add Cipher List to add a new cipher list.
Figure 13-22
Creating New SSL Cipher List Window
Step 4
Type a name for your cipher list in the Cipher List Name field.
Step 5
Click Add Cipher to add cipher suites to your cipher list.
Note
For a WAAS Express device, select the ciphers you wish to add. Skip to Step 12.
Cisco Wide Area Application Services Configuration Guide
13-38
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Step 6
Choose the cipher suite that you want to add in the Ciphers field.
Note
Step 7
If you are establishing an SSL connection to a Microsoft IIS server, do not select a DHE-based
cipher suite.
Choose the priority for the selected cipher suite in the Priority field.
Note
When SSL peering service is configured, the priority associated with a cipher list on a core
device takes precedence over the priority associated with a cipher list on an edge device.
Step 8
Click Add to include the selected cipher suite on your cipher list, or click Cancel to leave the list as it is.
Step 9
Repeat Step 5 through Step 8 to add more cipher suites to your list as desired.
Step 10
(Optional) To change the priority of a cipher suite, check the cipher suite check box and then use the up
or down arrow buttons located below the cipher list to prioritize.
Note
The client-specified order for ciphers overrides the cipher list priority assigned here if the cipher
list is applied to an accelerated service. The priorities assigned in this cipher list are only
applicable if the cipher list is applied to SSL peering and management services.
Step 11
(Optional) To remove a cipher suite from the list, check the cipher suite’s box and then click Delete.
Step 12
Click Submit when you are done configuring the cipher list.
Note
For a WAAS Express device, click OK to save the cipher list configuration.
SSL configuration changes will not be applied on the device until the security license has been
enabled on the device.
Working with Certificate Authorities
The WAAS SSL acceleration feature allows you to configure the Certificate Authority (CA) certificates
used by your system. You can use one of the many well-known CA certificates that is included with
WAAS or import your own CA certificate.
To manage your CA certificates, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Certificate Authorities.
The SSL CA Certificate List window appears (see Figure 13-23).
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-39
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
For a WAAS Express device, the SSL CA Certificate List window shows the same Name, Issued
To, Issuer, Expiry Date fields but in a slightly different format.
There is also an Aggregate Settings field configurable as Yes or No. To finish the procedure for
WAAS Express, skip to Step 4.
Figure 13-23
Step 3
Step 4
SSL CA Certificate List Window
Add one of the preloaded CA certificates that is included with WAAS as follows:
a.
Click Well-known CAs.
b.
Choose the pre-existing CA certificate you want to add and click Import. The CA certificate that
you selected is added to the list on the SSL CA Certificate List display.
Add your own CA certificate as follows:
a.
Click Create. The Creating New CA Certificate window appears (see Figure 13-24).
Note
For a WAAS Express device, click Add CA to add your own CA certificate. Enter the name
and the URL, then click Get CA Certificate. Skip to Step 6.
Cisco Wide Area Application Services Configuration Guide
13-40
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-24
Creating New CA Certificate Window
b.
Type a name for the certificate in the Certificate Name field.
c.
(Optional) Type a description of the CA certificate in the Description field.
d.
Choose disabled in the Revocation check drop-down list to disable OCSP revocation of certificates
signed by this CA. Check the Ignore OCSP failures check box to mark revocation check successful
if the OCSP revocation check failed.
e.
Add the certificate information by choosing on of the following methods:
– Upload PEM File
If you are uploading a file, it must be in a Privacy Enhanced Mail (PEM) format. Browse to the
file that you want to use and click Upload.
– Paste PEM Encoded Certificate
If you are pasting the CA certificate information, paste the text of the PEM format certificate
into the Paste PEM Encoded certificate field.
– Get CA Certificate using SCEP
This option automatically configures the certificate authority using Simple Certificate
Enrollment Protocol. If you are using the automated certificate enrollment procedure, enter the
CA URL and click Get Certificate. The contents of the certificate is displayed in text and PEM
formats.
To complete the automated certificate enrollment procedure, you must configure the SSL auto
enrollment settings in the “SSL Auto Enrollment” section on page 13-42.
f.
Click Submit to save your changes.
Step 5
(Optional) To remove a Certificate Authority from the list, select it and then click the Delete icon located
in the toolbar.
Step 6
Click Submit when you are done configuring the CA certificate list.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-41
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
For a WAAS Express device, click OK to save the CA certificate configuration.
SSL Auto Enrollment
The WAAS SSL acceleration feature allows you to enroll certificates automatically for a device (or
device group) using SCEP. Once the CA certificate his been obtained, SSL auto enrollment settings must
be configured.
Note
You must configure the applicable certificate authority before configuring auto enrollment settings.
To configure SSL auto enrollment settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Auto Enrollment.
The SSL Auto Enrollment Settings window appears (see Figure 13-25).
Figure 13-25
Step 3
SSL Auto Enrollment Settings Window
Configure the following CA settings:
•
CA URL
•
CA—Select the appropriate CA from the list
•
Challenge Password
Cisco Wide Area Application Services Configuration Guide
13-42
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
Step 4
CA, CA URL, and challenge password settings are mandatory for enabling SSL auto enrollment.
Configure the following Certificate Signing Request settings:
•
Common Name
•
Organization and Organization Unit
•
Location, State, and Country
•
Email-Id
Step 5
Configure the key size: 512, 768, 1024, 1536, or 2048
Step 6
Check the Enable Enroll box.
Step 7
Click Submit.
You can then check the enrollment status in the Machine Certificate section on the SSL Global Settings
page and on the Alerts page.
Configuring SSL Management Services
SSL management services are the SSL configuration parameters that affect secure communications
between the Central Manager and the WAE devices (see Figure 13-14 on page 13-32). The
certificate/key pairs used are unique for each WAAS device, and so SSL management services can only
be configured for individual devices, not device groups.
To configure SSL management services, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Security > Management Service.
The Management Services window appears (see Figure 13-26).
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-43
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-26
Step 3
SSL Management Services Window
In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3
protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both
SSL3 and TLS1 SSL protocols.
Note
Management service SSL version and cipher settings configured for the WAAS Central Manager
are also applied to SSL connections between the WAAS Central Manager and the browser of the
user.
Primary and standby Central Managers must share a common management service version or
cipher list. Changing the management service version and cipher list settings may result in a loss
of connectivity between primary Central Manager and standby Central Manager and WAE
devices.
Table 13-3 shows the cipher lists supported with Internet Explorer and Mozilla Firefox:
Table 13-3
Cipher Lists Supported with Internet Explorer and Mozilla Firefox
Cipher
Internet Explorer
Firefox
dhe-rsa-with-aes-256-cbc-sha
Supported in IE7/Vista
Supported
rsa-with-aes-256-cbc-sha
Supported in IE7/Vista
Supported
dhe-rsa-with-aes-128-cbc-sha
Supported in IE7/Vista
Supported
rsa-with-aes-128-cbc-sha
Supported in IE7/Vista
Supported
dhe-rsa-with-3des-ede-cbc-sha
Not enabled by default
Supported
rsa-with-3des-ede-cbc-sha
Not enabled by default
Supported
rsa-with-rc4-128-sha
Supported
Supported
Cisco Wide Area Application Services Configuration Guide
13-44
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Table 13-3
Cipher Lists Supported with Internet Explorer and Mozilla Firefox
Cipher
Internet Explorer
Firefox
rsa-with-rc4-128-md5
Supported
Supported
dhe-rsa-with-des-cbc-sha
Not Supported
Not enabled by default
rsa-export1024-with-rc4-56-sha
Supported
Not enabled by default
rsa-export1024-with-des-cbc-sha
Supported
Not enabled by default
dhe-rsa-export-with-des40-cbc-sha
Not Supported
Not Supported
rsa-export-with-des40-cbc-sha
Not Supported
Not Supported
rsa-export-with-rc4-40-md5
Supported
Supported
Note
Both Mozilla Firefox and Internet Explorer support SSLv3 and TLSv1 protocols, however
TLSv1 may not be enabled by default. Therefore, you need to enable it in your browser.
Configuring ciphers or protocols that are not supported in your browser will result in connection
loss between the browser and the Central Manager. If this occurs, configure the Central Manager
management service SSL settings to the default in the CLI to restore the connection.
Some browsers, such as Internet Explorer, do not correctly handle a change of SSL version and
cipher settings on the Central Manager, which can result in the browser showing an error page
after submitting changes. If this occurs, reload the page.
Step 4
In the Cipher List pane, choose a list of cipher suites to be used for SSL acceleration. See the “Working
with Cipher Lists” section on page 13-37 for additional information.
Configuring SSL Peering Service
SSL peering service configuration parameters control secure communications established by the SSL
accelerator between WAE devices while optimizing SSL connections (see Figure 13-14 on page 13-32).
The peering service certificate and private key is unique for each WAAS device and can only be
configured for individual devices, not device groups.
To configure SSL peering service, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Security > Peering Service.
The Peering Service window appears (see Figure 13-27).
Note
For a WAAS Express device, the Peering Service window shows a subset of the fields in the
standard Peering Service window in a slightly different format.
Cipher list Priority setting and Disable revocation check of peer certificates option are not
applicable to WAAS Express.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-45
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-27
Step 3
SSL Peering Service Window
In the SSL Version field, choose the type of SSL protocol to use, or choose Inherited to use the SSL
protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose TLS1
for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL
protocols.
Note
For a WAAS Express device, only SSL3 and TLS1 are supported for the SSL Version.
Step 4
To enable verification of peer certificates check Enable Certificate Verification check box. If certificate
verification is enabled, WAAS devices that use self-signed certificates will not be able to establish
peering connections to each other and, thus, not be able to accelerate SSL traffic.
Step 5
Check the Disable revocation check for this service check box to disable OCSP certificate revocation
checking.
Note
Step 6
For a WAAS Express device, this option is not applicable.
In the Cipher List pane, choose a list of cipher suites to be used for SSL acceleration between the WAE
device peers, or choose Inherited to use the cipher list configured in SSL global settings.
Note
For a WAAS Express device, the list of cipher suites to be used for SSL acceleration is shown
in the Cipher List pane.
See the “Working with Cipher Lists” section on page 13-37 for additional information.
Step 7
Click Submit.
Cisco Wide Area Application Services Configuration Guide
13-46
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Note
For a WAAS Express device, SSL configuration changes will not be applied on the device until
the security license has been enabled on the device.
Using SSL Accelerated Services
After you have enabled and configured SSL acceleration on your WAAS system, you must define at least
one service to be accelerated on the SSL path. To configure SSL accelerated services, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > SSL Accelerated Services.
Step 3
To delete an accelerated service, select the service and click Delete.
Step 4
Click Create to define a new accelerated service. A maximum of 512 accelerated services are allowed.
The Basic SSL Accelerated Services Configuration window appears (see Figure 13-28).
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-47
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-28
SSL Accelerated Services—Basic Window
Step 5
Type a name for the service in the Service Name field.
Step 6
To enable this accelerated service, check the In service check box.
Step 7
To enable client version rollback check, check the Client version rollback check check box.
Enabling the client version rollback check does not allow connections with an incorrect client version to
be optimized.
Step 8
(Optional) Type a description of the service in the Description field.
Step 9
From the Server drop-down list, choose IP Address, Hostname, or Domain as the SSL service endpoint
type. Type the server IP address, hostname, or domain of the accelerated server. Use the keyword Any
to specify any server IP address. A maximum of 32 IP addresses, 32 hostnames, and 32 domains are
allowed.
Note
Hostname and domain server address types are supported only when using WAAS software
version 4.2.x or later. Server IP address keyword Any is supported only when using WAAS
Software version 4.2.x or later.
Cisco Wide Area Application Services Configuration Guide
13-48
OL-27981-01
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Step 10
Type the port associated with the service to be accelerated. Click Add to add each address. If you specify
a server hostname, the Central Manager resolves the hostname to the IP address and adds it to the Server
IP/Ports table.
Step 11
Click Delete to remove an IP address from the list.
Step 12
Choose a certificate and key pair method (see Figure 13-29).
Figure 13-29
Configuring Service Certificate and Private Key
•
Click Generate Self-signed Certificate Key to have the WAAS devices use a self-signed
certificate/key pair for SSL.
•
Click Import Existing Certificate Key to upload or paste an existing certificate/key pair.
•
Click Export Certificate Key to export the current certificate/key pair.
•
Click Generate Certificate Signing Request to renew or replace the existing certificate/key pair.
The certificate signing request (CSR) is used by the Certificate Authority to generate a new
certificate.
The file that you import or export must be in either a PKCS12 format or a PEM format.
For service certificate and private key configuration steps, see the “Configuring a Service Certificate and
Private Key” section on page 13-34.
Note
Step 13
If you change the certificate or key for an existing SSL accelerated service, you must uncheck
the In service check box and click Submit to disable the service, then wait 5 minutes and check
the In service check box and click Submit to reenable the service. Alternatively, at the WAE,
you can use the no inservice SSL accelerated service configuration command, wait a few
seconds, and then use the inservice command. If you are changing the certificate or key for
multiple SSL accelerated services, you can restart all accelerated services by disabling and then
reenabling the SSL accelerator.
Click the Advanced Settings tab to configure SSL parameters for the service. The Advanced SSL
Accelerated Services Configuration window appears (see Figure 13-30).
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-49
Chapter 13
Configuring Application Acceleration
Enabling and Disabling the Global Optimization Features
Figure 13-30
SSL Accelerated Services—Advanced Window
Step 14
(Optional) In the SSL version field, choose the type of SSL protocol to use, or choose Inherited to use
the SSL protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose
TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1
SSL protocols.
Step 15
(Optional) In the Cipher List field, choose a list of cipher suites to be used for SSL acceleration between
the WAE device peers, or choose Inherited to use the cipher list configured in SSL global settings. For
more information, see the “Working with Cipher Lists” section on page 13-37.
Step 16
(Optional) To set the Online Certificate Status Protocol (OCSP) parameters for certificate revocation,
follow these steps:
a.
To enable verification of client certificate check, check the Verify client certificate check box.
b.
Check the Disable revocation check for this service check box to disable OCSP client certificate
revocation checking.
c.
To enable verification of server certificate check, check the Verify server certificate check box.
d.
Check the Disable revocation check for this service check box to disable OCSP server certificate
revocation checking.
Note
If the server and client devices are using self-signed certificates and certificate verification is
enabled, WAAS devices will not be able to accelerate SSL traffic.
Cisco Wide Area Application Services Configuration Guide
13-50
OL-27981-01
Chapter 13
Configuring Application Acceleration
Creating a New Traffic Optimization Policy
Step 17
Click Submit when you have finished configuring the SSL accelerated service.
Creating a New Traffic Optimization Policy
Table 13-4 provides an overview of the steps that you must complete to create a new traffic optimization
policy.
Table 13-4
Checklist for Creating a New Optimization Policy
Task
1. Prepare for creating an optimization
policy.
2.
Create an application definition.
3.
Create an optimization policy.
Additional Information and Instructions
Provides the tasks you need to complete before creating a new optimization
policy on your WAAS devices. For more information, see the “Preparing to
Create an Optimization Policy” section on page 13-51.
Identifies general information about the application you want to optimize,
such as the application name and whether the WAAS Central Manager
collects statistics about this application. For more information, see the
“Creating an Application Definition” section on page 13-52.
Determines the type of action your WAAS device or device group performs
on specific application traffic. This step requires you to do the following:
•
Create application class maps that allow a WAAS device to identify
specific types of traffic. For example, you can create a condition that
matches all traffic going to a specific IP address.
•
Specify the type of action your WAAS device or device group performs
on the defined traffic. For example, you can specify that WAAS should
apply TFO and LZ compression to all traffic for a specific application.
For more information, see the “Creating an Optimization Policy” section on
page 13-53.
Preparing to Create an Optimization Policy
Before you create a new optimization policy, complete the following preparation tasks:
•
Review the list of optimization policies on your WAAS system and make sure that none of these
policies already cover the type of traffic you want to define. To view a list of the predefined policies
that come bundled with the WAAS system, see Appendix A, “Predefined Optimization Policy.”
•
Identify a match condition for the new application traffic. For example, if the application uses a
specific destination or source port, you can use that port number to create a match condition. You
can also use a source or destination IP address for a match condition.
•
Identify the device or device group that requires the new optimization policy. We recommend you
create optimization policies on device groups so the policy is consistent across multiple WAAS
devices.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-51
Chapter 13
Configuring Application Acceleration
Creating a New Traffic Optimization Policy
Creating an Application Definition
The first step in creating an optimization policy is to set up an application definition that identifies
general information about the application, such as the application name and whether you want the WAAS
Central Manager to collect statistics about the application. You can create up to 255 application
definitions on your WAAS system.
To create an application definition, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Acceleration > Applications.
The Applications window appears, which displays a list of all applications on your WAAS system. It also
lists the device or device group from which it gets the settings. From this window, you can perform the
following tasks:
•
Select an application and click the Edit icon in the task bar to modify or click the Delete icon in the
task bar to delete.
•
Determine if your WAAS system is collecting statistics on an application. The Enable Statistics
column displays Yes if statistics are being collected for the application.
•
Create a new application as described in the steps that follow.
Click the Add Application icon in the taskbar. The Application window appears.
Step 2
Enter a name for this application.
The name cannot contain spaces and special characters.
Step 3
(Optional) Enter a comment in the Comments field.
The comment you enter appears in the Applications window.
Step 4
Check the Enable Statistics check box to allow the WAAS Central Manager to collect data for this
application. To disable data collection for this application, uncheck this box.
The WAAS Central Manager GUI can display statistics for up to 25 applications and 25 class maps. An
error message is displayed if you try to enable more than 25 statistics for either. However, you can use
the WAAS CLI to view statistics for all applications that have policies on a specific WAAS device. For
more information, refer to the Cisco Wide Area Application Services Command Reference.
If you are collecting statistics for an application and decide to disable statistics collection, then reenable
statistics collection at a later time, the historical data will be retained, but a gap in data will exist for the
time period when statistics collection was disabled. An application cannot be deleted if there is an
optimization policy using it. However, if you delete an application that you had collected statistics for,
then later recreate the application, the historical data for the application will be lost. Only data since the
recreation of the application will be displayed.
Note
Step 5
The WAAS Central Manager does not start collecting data for this application until you finish
creating the entire optimization policy.
Click OK.
The application definition is saved and is displayed in the application list.
Cisco Wide Area Application Services Configuration Guide
13-52
OL-27981-01
Chapter 13
Configuring Application Acceleration
Creating a New Traffic Optimization Policy
Creating an Optimization Policy
After you create an application definition, you need to create an optimization policy that determines the
action a WAAS device takes on the specified traffic. For example, you can create an optimization policy
that makes a WAAS device apply TCP optimization and compression to all application traffic that travels
over a specific port or to a specific IP address. You can create up to 512 optimization policies on your
WAAS system.
The traffic matching rules are contained in the application class map. These rules, known as match
conditions, use Layer 2 and Layer 4 information in the TCP header to identify traffic.
To create an optimization policy, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears. (See Figure 13-31.)
Note
For a WAAS Express device, the Optimization Policies window shows a subset of the fields in
the standard Optimization Policies window.
Enable Service Policy option, DSCP option, and the Protocol column in the list of policy rules
are not applicable to WAAS Express.
Figure 13-31
Optimization Policies Window
This window displays information about all optimization policies that reside on the selected device or
device group and the position of each policy. The position determines the order in which WAAS refers
to that policy when determining how to handle application traffic. To change the position of a policy, see
the “Modifying the Position of an Optimization Policy” section on page 13-61. This window also
displays the class map, source and destination IP addresses, source and destination ports, protocol,
application, action, and accelerate assigned to each policy.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-53
Chapter 13
Configuring Application Acceleration
Creating a New Traffic Optimization Policy
Note
If there are version 4.x devices, you can click the Legacy View taskbar icon to view the policies
as they appear in a 4.x device.
From the Optimization Policies window, you can perform the following tasks:
•
Configure a description, configure the Enable Service Policy setting, and configure the DSCP
setting. This DSCP setting field configures DSCP settings at the device (or device group) level.
Note
Step 3
The device will only use this policy setting to determine what optimizations are done if
Enable Service Policy is set.
•
Select one or more optimization policies that you want to delete, and click the Delete icon to delete
the checked policies.
•
Select an optimization policy and click the Edit icon to modify the checked policy.
•
Restore predefined policies and class maps. For more information, see the “Restoring Optimization
Policies and Class Maps” section on page 13-60.
•
Create an optimization policy as described in the steps that follow.
Click the Add Policy Rule icon in the taskbar to create a new optimization policy.
The Optimization Policy Rule pop-up window appears. (See Figure 13-32.)
Figure 13-32
Step 4
Add Optimization Policy Rule Window
Choose the class map from the Class-Map Name drop-down list to select an existing class map for this
policy or click Create New to create a new class map for this policy.
If you are selecting an existing class map, skip the next step.
Step 5
Complete the following steps to create a new class map:
a.
Enter a name for this application class map. The name cannot contain spaces or special characters.
Note
For WAAS Express, the class map name cannot contain the following prefixes (case
sensitive): Class, optimize, passthrough, application, accelerate, tfo, dre, lz, or
sequence-interval. Existing class map names containing any of these prefixes must be
changed manually.
b.
(Optional) Enter a description.
c.
From the Type drop-down list, choose the class map type. Once you have chosen the type, you can
enter the match conditions.
Cisco Wide Area Application Services Configuration Guide
13-54
OL-27981-01
Chapter 13
Configuring Application Acceleration
Creating a New Traffic Optimization Policy
d.
Click the Add Match Condition icon to enter the conditions. (See Figure 13-33.)
Note
For a WAAS Express device, Protocol and EPM Custom UUID settings are not applicable.
Figure 13-33
e.
Adding a New Match Condition Window
Enter a value in one of the destination or source condition fields to create a condition for a specific
type of traffic.
For example, to match all traffic going to IP address 10.10.10.2, enter that IP address in the
Destination IP Address field.
Note
To specify a range of IP addresses, enter a wildcard subnet mask in either the destination or
source IP Wildcard field in dotted decimal notation (such as 0.0.0.255 for /24).
If you want to match traffic that uses dynamic port allocation, choose the application identifier from
the Protocol drop-down list. For example, to match Microsoft Exchange Server traffic that uses the
MAPI protocol, choose mapi. If you want to enter a custom EPM UUID, choose epm-uuid and enter
the UUID in the EPM Custom UUID field.
f.
Step 6
Add additional match conditions as needed and click OK to save the class map. If any one of the
conditions is matched, the class is considered matched. You return to creating a new policy in the
Optimization Policy window.
From the Action drop-down list, choose the action that your WAAS device should take on the defined
traffic. Table 13-5 describes each action.
Note
For a WAAS Express device, only a subset of the actions are available. These include:
Passthrough, TFO Only, TFO with LZ, TFO with DRE, and TFO with DRE and LZ.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-55
Chapter 13
Configuring Application Acceleration
Creating a New Traffic Optimization Policy
Table 13-5
Action Descriptions
Action1
Passthrough
Description
Prevents the WAAS device from optimizing the application traffic defined
in this policy by using TFO, DRE, or compression. Traffic that matches
this policy can still be accelerated if an accelerator is chosen from the
Accelerate drop-down list.
TFO Only
Applies a variety of transport flow optimization (TFO) techniques to
matching traffic. TFO techniques include BIC-TCP, window size
maximization and scaling, and selective acknowledgement. For a more
detailed description of the TFO features, see the “TFO Optimization”
section on page 1-4.
TFO with DRE (Adaptive Applies both TFO and DRE with adaptive caching to matching traffic.
Cache)
TFO with DRE
Applies both TFO and DRE with unidirectional caching to matching
(Unidirectional Cache)
traffic.
TFO with DRE
Applies both TFO and DRE with bidirectional caching to matching traffic.
(Bidirectional Cache)
TFO with LZ
Applies both TFO and the LZ compression algorithm to matching traffic.
Compression
LZ compression functions similarly to DRE but uses a different
compression algorithm to compress smaller data streams and maintains a
limited compression history.
TFO with DRE (Adaptive Applies TFO, DRE with adaptive caching, and LZ compression to
Cache) and LZ
matching traffic.
Applies TFO, DRE with unidirectional caching, and LZ compression to
TFO with DRE
matching traffic.
(Unidirectional Cache)
and LZ
TFO with DRE
Applies TFO, DRE with bidirectional caching, and LZ compression to
(Bidirectional Cache) and matching traffic.
LZ
1. When configuring a device running a WAAS version prior to 4.4.1, options that include Unidirectional or Adaptive caching
are not shown in the Action list.
Note
When ICA acceleration is enabled, all connections are processed with the DRE mode as
unidirectional. Acceleration type is shown as TIDL (TCP optimization, ICA acceleration, DRE,
LZ).
Note
When configuring optimization policies on a device group, if the device group contains devices
running a WAAS version prior to 4.4.1 and you are configuring an action that includes
Unidirectional or Adaptive caching, the caching mode is converted to bidirectional. Similarly,
when devices running WAAS versions prior to 4.4.1 join a device group that is configured with
optimization policies that use Unidirectional or Adaptive caching, the caching mode is converted
to bidirectional. In such cases, we recommend that you upgrade all devices to the same software
version or create different device groups for devices with incompatible versions.
Cisco Wide Area Application Services Configuration Guide
13-56
OL-27981-01
Chapter 13
Configuring Application Acceleration
Creating a New Traffic Optimization Policy
Step 7
From the Accelerate drop-down list, choose one of the following additional acceleration actions that
your WAAS device should take on the defined traffic:
•
None—No additional acceleration is done.
•
MS PortMapper—Accelerate using the Microsoft Endpoint Port Mapper (EPM).
•
CIFS Adaptor—Accelerate using the CIFS or SMB Accelerators.
•
HTTP Adaptor—Accelerate using the HTTP Accelerator.
•
MAPI Adaptor—Accelerate using the MAPI Accelerator.
•
NFS Adaptor—Accelerate using the NFS Accelerator.
•
Video Adaptor—Accelerate using the Video Accelerator.
•
ICA Adaptor—Accelerate using the ICA Accelerator.
Note
Step 8
Step 9
For a WAAS Express device, the available accelerators are CIFS Express and HTTP Express.
Specify the application that you want to be associated with this policy by doing either of the following:
•
From the Application drop-down list, choose an existing application like the one that you created in
the “Creating an Application Definition” section on page 13-52. This list displays all predefined and
new applications on your WAAS system.
•
Click New Application to create an application. You can specify the application name and enable
statistics collection. After specifying the application details, click OK to save the new application
and return to the Optimization Policy window. The new application is automatically assigned to this
device or device group.
(Optional) Choose a value from the DSCP Marking drop-down list. You can choose copy, which copies
the DSCP value from the incoming packet and uses it for the outgoing packet. If you choose
inherit-from-name from the drop-down list, the DSCP value defined at the application or global level is
used.
DSCP is a field in an IP packet that enables different levels of service to be assigned to network traffic.
Levels of service are assigned by marking each packet on the network with a DSCP code and associating
a corresponding level of service. DSCP is the combination of IP Precedence and Type of Service (ToS)
fields. For more information, see RFC 2474.
DSCP marking does not apply to pass-through traffic.
Note
For a WAAS Express device, the DSCP Marking drop-down list is not shown.
For the DSCP marking value, you can choose to use the global default values (see the “Defining Default
DSCP Marking Values” section on page 13-61) or select one of the other defined values. You can choose
copy, which copies the DSCP value from the incoming packet and uses it for the outgoing packet.
Step 10
Click OK.
The new policy appears in the Optimization Policies window. (See Figure 13-31 on page 13-53.)
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-57
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
Managing Application Acceleration
This section contains the following topics:
•
Modifying the Accelerator Load Indicator Threshold, page 13-58
•
Viewing a List of Applications, page 13-58
•
Viewing a Policy Report, page 13-59
•
Viewing a Class Map Report, page 13-59
•
Restoring Optimization Policies and Class Maps, page 13-60
•
Monitoring Applications and Class Maps, page 13-60
•
Defining Default DSCP Marking Values, page 13-61
•
Modifying the Position of an Optimization Policy, page 13-61
•
Modifying the Acceleration TCP Settings, page 13-63
Modifying the Accelerator Load Indicator Threshold
To modify the accelerator load indicator threshold for a WAE device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Accelerator Threshold. The Accelerator Threshold window
appears.
Step 3
In the Accelerator Load Indicator Threshold field, enter a percent value between 80 and 100. The
default is 95.
Step 4
Click Submit.
Viewing a List of Applications
To view a list of applications that reside on a WAE device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Optimization Policies. The Optimization Policies window
appears.
Step 3
Click the Application column header to sort the column by application name so you can more easily
locate a specific application.
Note
If there are version 4.x devices, you can click the Legacy View taskbar icon to view the policies
as they appear in a 4.x device.
To edit an optimization policy, check the box next to the application and click the Edit taskbar icon.
Cisco Wide Area Application Services Configuration Guide
13-58
OL-27981-01
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
If you determine that one or more policies are not needed, check the box next to each unneeded
application and click the Delete taskbar icon.
If you determine that a new policy is needed, click the Add Policy Rule taskbar icon to create the policy
(see the “Creating an Optimization Policy” section on page 13-53).
Viewing a Policy Report
To view a report of the policies that reside on each WAE device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Acceleration > Optimization Policy
Report. (See Figure 13-34.)
The Policy Report for Devices tab appears. This report lists each device (or device group) and the overall
policy count on the device (or device group) referencing this application. It includes both active policies
(those in use by the device or device group), and backup policies (those not in use by the device when
the device gets its config from a device group). When the device is deassigned from the device group,
the backup policies are applied back to the device and become active again.
An application cannot be deleted unless the No of Policies field is 0.
Figure 13-34
Optimization Policy Report
Step 2
Select the Policy Report for Device-Groups tab to view the number of devices per device group and the
number of active policies in the device group.
Step 3
To see the optimization policies that are defined on a particular device or group, click the device or group
to view the policies in the Optimization Policies window.
To view a class map report, see the “Viewing a Class Map Report” section on page 13-59.
Viewing a Class Map Report
To view a report of the class maps that reside on each WAE device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Acceleration > Optimization Policy
Report.
The Policy Report for Devices tab appears.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-59
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
Step 2
Click the Class-Map Report tab to view a report of the devices and device groups on which the class
map is configured.
Step 3
Select the class map and click the View icon to see the devices or device groups on which the class maps
reside.
Restoring Optimization Policies and Class Maps
The WAAS system allows you to restore the predefined policies and class maps that shipped with the
WAAS system. For a list of the predefined policies, see Appendix A, “Predefined Optimization Policy.”
If you made changes to the predefined policies that have negatively impacted how a WAAS device
handles application traffic, you can override your changes by restoring the predefined policy settings.
To restore predefined policies and class maps, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears.
Step 3
Click the Restore Default taskbar icon to restore over 150 policies and class maps that shipped with the
WAAS software and remove any new policies that were created on the system. If a predefined policy has
been changed, these changes are lost and the original settings are restored.
Monitoring Applications and Class Maps
After you create an optimization policy, you should monitor the associated application to make sure your
WAAS system is handling the application traffic as expected.
To monitor an application, you must have enabled statistics collection for that application, as described
in the “Creating an Application Definition” section on page 13-52.
To monitor a class map, from the WAAS Central Manager menu, choose Configure > Acceleration >
Monitor Classmaps. Select the class map on which to enable statistics and click the Enable button.
The WAAS Central Manager GUI can display statistics for up to 25 applications and 25 class maps. An
error message is displayed if you try to enable more than 25 statistics for either. However, you can use
the WAAS CLI to view statistics for all applications that have policies on a specific WAAS device. For
more information, refer to the Cisco Wide Area Application Services Command Reference.
You can use the TCP Summary report to monitor a specific application. For more information, see the
“TCP Summary Report” section on page 17-36.
Most charts can be configured to display Class Map data by clicking the chart Edit icon and choosing
the Classifier series.
Cisco Wide Area Application Services Configuration Guide
13-60
OL-27981-01
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
Defining Default DSCP Marking Values
According to policies that you define in an application definition and an optimization policy, the WAAS
software allows you to set a DSCP value on packets that it processes.
A DSCP value is a field in an IP packet that enables different levels of service to be assigned to the
network traffic. The levels of service are assigned by marking each packet on the network with a DSCP
code and associating a corresponding level of service. The DSCP marking determines how packets for a
connection are processed externally to WAAS. DSCP is the combination of IP Precedence and Type of
Service (ToS) fields. For more information, see RFC 2474. DSCP values are predefined and cannot be
changed.
This attribute can be defined at the following levels:
•
Global—You can define global defaults for the DSCP value for each device (or device group) in the
Optimization Policies page for that device (or device group). This value applies to the traffic if a
lower level value is not defined.
•
Policy—You can define the DSCP value in an optimization policy. This value applies only to traffic
that matches the class maps defined in the policy and overrides the application or global DSCP
value.
This section contains the following topic:
•
Defining the Default DSCP Marking Value, page 13-61
Defining the Default DSCP Marking Value
To define the global default DSCP marking value, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Optimization Policies. The Optimization Policies window
appears.
Step 3
Choose a value from the DSCP drop-down list. The default setting is copy, which copies the DSCP value
from the incoming packet and uses it for the outgoing packet.
Step 4
Click OK to save the settings.
Modifying the Position of an Optimization Policy
Each optimization policy has an assigned position that determines the order in which a WAAS device
refers to the policy in an attempt to classify traffic. For example, when a WAAS device intercepts traffic,
it refers to the first policy in the list to try to match the traffic to an application. If the first policy does
not provide a match, the WAAS device moves on to the next policy in the list.
You should consider the position of policies that pass through traffic unoptimized because placing these
policies at the top of the list can cancel out optimization policies that appear farther down the list. For
example, if you have two optimization policies that match traffic going to IP address 10.10.10.2, and one
policy optimizes this traffic and a second policy in a higher position passes through this traffic, then all
traffic going to 10.10.10.2 will go through the WAAS system unoptimized. For this reason, you should
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-61
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
make sure that your policies do not have overlapping matching conditions, and you should monitor the
applications you create to make sure that WAAS is handling the traffic as expected. For more information
on monitoring applications, see Chapter 17, “Monitoring and Troubleshooting Your WAAS Network.”
To modify the position of an optimization policy, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Optimization Policies. The Optimization Policies window
appears. (See Figure 13-35.)
Note
For a WAAS Express device, all policies are grouped under the waas_global category.
For a list of predefined policies, see Appendix A, “Predefined Optimization Policy.”
Figure 13-35
Step 3
Optimization Policies Window
Modify the position of the optimization policy in any of the following ways:
•
Select the policy you would like to move and use the up and down arrow (
taskbar to move that policy higher or lower in the list.
•
Select the policy you would like to move and use the Move To button to specify the exact position.
•
Select the policy and drag and drop it into the desired position
Note
) icons in the
The Save Moved Rows icon must be clicked to save the new policy positions.
You can also create a new optimization policy at a particular position by selecting the policy above the
location and then clicking the Insert button.
If a device goes through all the policies in the list without making a match, then the WAAS device passes
through the traffic unoptimized.
Cisco Wide Area Application Services Configuration Guide
13-62
OL-27981-01
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
Note
For a WAAS Express device, the class-default policy should be last. This policy cannot be
modified or deleted.
Step 4
Click the Save Moved Rows icon to save any changes you made to policy positions.
Step 5
If you determine that a policy is not needed, follow these steps to delete the policy:
a.
Select the policy you want to delete.
b.
Click the Delete icon in the taskbar.
Note
Step 6
A default policy which maps to a default class map matching any traffic cannot be deleted.
If you determine that a new policy is needed, click the Add Policy taskbar icon to create the policy (see
the “Creating an Optimization Policy” section on page 13-53).
Modifying the Acceleration TCP Settings
In most cases, you do not need to modify the acceleration TCP settings because your WAAS system
automatically configures the acceleration TCP settings based on the hardware platform of the WAE
device. WAAS automatically configures the settings only under the following circumstances:
•
When you first install the WAE device in your network.
•
When you enter the restore factory-default command on the device. For more information about
this command, see the Cisco Wide Area Application Services Command Reference.
The WAAS system automatically adjusts the maximum segment size (MSS) to match the advertised MSS
of the client or server for each connection. The WAAS system uses the lower of 1432 or the MSS value
advertised by the client or server.
If your network has high BDP links, you may need to adjust the default buffer settings automatically
configured for your WAE device. For more information, see the “Calculating the TCP Buffers for High
BDP Links” section on page 13-65.
If you want to adjust the default TCP adaptive buffering settings for your WAE device, see the
“Modifying the TCP Adaptive Buffering Settings” section on page 13-65.
To modify the acceleration TCP settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > TCP Settings. The Acceleration TCP Settings window appears.
Step 3
Keep the Send TCP Keepalive check box checked.
Checking the Send TCP Keepalive check box allows this WAE device or group to disconnect the TCP
connection to its peer device if no response is received from the TCP keepalive exchange. In this case,
the two peer WAE devices will exchange TCP keepalives on a TCP connection and if no response is
received for the keepalives for a specific period, the TCP connection will be torn down. When the
keepalive option is enabled, any short network disruption in the WAN will cause the TCP connection
between peer WAE devices to be disconnected.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-63
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
If the Send TCP Keepalive check box is not checked, TCP keepalives will not be sent and connections
will be maintained unless they are explicitly disconnected. By default, this setting is enabled.
Step 4
Modify the TCP acceleration settings as needed. See Table 13-6 for a description of these settings.
For information on how to calculate these settings for high BDP links, see the “Calculating the TCP
Buffers for High BDP Links” section on page 13-65.
Table 13-6
TCP Settings
TCP Setting
Description
Optimized Side
Maximum Segment Size
Send Buffer Size
Receive Buffer Size
Maximum packet size allowed between this WAAS device and other
WAAS devices participating in the optimized connection. The default is
1432 bytes.
Allowed TCP sending buffer size (in kilobytes) for TCP packets sent
from this WAAS device to other WAAS devices participating in the
optimized connection. The default is 32 KB.
Allowed TCP receiving buffer size (in kilobytes) for incoming TCP
packets from other WAAS devices participating in the optimized
connection. The default is 32 KB.
Original Side
Maximum Segment Size
Send Buffer Size
Receive Buffer Size
Maximum packet size allowed between the origin client or server and
this WAAS device. The default is 1432 bytes.
Allowed TCP sending buffers size (in kilobytes) for TCP packets sent
from this WAAS device to the origin client or server. The default is
32 KB.
Allowed TCP receiving buffer size (in kilobytes) for incoming TCP
packets from the origin client or server. The default is 32 KB.
Step 5
If you are deploying the WAE across a high Bandwidth-Delay-Product (BDP) link, you can set
recommended values for the send and receive buffer sizes by clicking the Set High BDP recommended
values button. For more information about calculating TCP buffers for high BDP links, see the
“Calculating the TCP Buffers for High BDP Links” section on page 13-65.
Step 6
Click Submit.
Note
If the original and optimized maximum segment sizes are set to their default values and you configure a
jumbo MTU setting, the segment sizes are changed to the jumbo MTU setting minus 68 bytes. If you
have configured custom maximum segment sizes, their values are not changed if you configure a jumbo
MTU. For more information on jumbo MTU, see the “Configuring a Jumbo MTU” section on page 6-21.
To configure TCP keepalives from the CLI, use the tfo tcp keepalive global configuration command.
To configure TCP acceleration settings from the CLI, use the following global configuration commands:
tfo tcp optimized-mss, tfo tcp optimized-receive-buffer, tfo tcp optimized-send-buffer, tfo tcp
original-mss, tfo tcp original-receive-buffer, and tfo tcp original-send-buffer.
To show the TCP buffer sizes, use the show tfo tcp EXEC command.
Cisco Wide Area Application Services Configuration Guide
13-64
OL-27981-01
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
Calculating the TCP Buffers for High BDP Links
WAAS software can be deployed in different network environments, involving multiple link
characteristics such as bandwidth, latency, and packet loss. All WAAS devices are configured to
accommodate networks with maximum Bandwidth-Delay-Product (BDP) of up to the values listed
below:
•
WAE-512—Default BDP is 32 KB
•
WAE-612—Default BDP is 512 KB
•
WAE-674 —Default BDP is 2048 KB
•
WAE-7341 —Default BDP is 2048 KB
•
WAE-7371 —Default BDP is 2048 KB
•
All WAVE platforms—Default BDP is 2048 KB
If your network provides higher bandwidth or higher latencies are involved, use the following formula
to calculate the actual link BDP:
BDP [Kbytes] = (link BW [Kbytes/sec] * Round-trip latency [Sec])
When multiple links 1..N are the links for which the WAE is optimizing traffic, the maximum BDP
should be calculated as follows:
MaxBDP = Max (BDP(link 1),..,BDP(link N))
If the calculated MaxBDP is greater than the DefaultBDP for your WAE model, the Acceleration TCP
settings should be modified to accommodate that calculated BDP.
Once you calculate the size of the Max BDP, enter a value that is equal to or greater than twice the Max
BDP in the Send Buffer Size and Receive Buffer Size for the optimized connection on the Acceleration
TCP Settings window.
Note
These manually configured buffer sizes apply only if TCP adaptive buffering is disabled. TCP adaptive
buffering is normally enabled, and allows the WAAS system to dynamically vary the buffer sizes. For
more information on TCP adaptive buffering, see the “Modifying the TCP Adaptive Buffering Settings”
section on page 13-65.
Modifying the TCP Adaptive Buffering Settings
In most cases, you do not need to modify the acceleration TCP adaptive buffering settings because your
WAAS system automatically configures the TCP adaptive buffering settings based on the network
bandwidth and delay experienced by each connection. Adaptive buffering allows the WAAS software to
dynamically vary the size of the send and receive buffers to increase performance and more efficiently
use the available network bandwidth.
To modify the acceleration TCP adaptive buffering settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > TCP Adaptive Buffering Settings. The TCP Adaptive Buffering
Settings window appears.
Step 3
To enable TCP adaptive buffering, check the Enable check box. The default is enabled.
Cisco Wide Area Application Services Configuration Guide
OL-27981-01
13-65
Chapter 13
Configuring Application Acceleration
Managing Application Acceleration
Step 4
In the Send Buffer Size and Receive Buffer Size fields, enter the maximum size in kilobytes of the send
and receive buffers.
Step 5
Click Submit.
To configure the TCP adaptive buffer settings from the CLI, use the tfo tcp adaptive-buffer-sizing
global configuration command:
WAE(config)# tfo tcp adaptive-buffer-sizing receive-buffer-max 8192
To disable TCP adaptive buffering from the CLI, use the no tfo tcp adaptive-buffer-sizing enable
global configuration command.
To show the default and configured adaptive buffer sizes, use the show tfo tcp EXEC command.
Cisco Wide Area Application Services Configuration Guide
13-66
OL-27981-01